Enterprise ↑Phase 5 · Static / Code & Mobile

APK Code Analyzer

ECB/MD5/SHA1, exec(), DexClassLoader, WebView JS bridge, SharedPrefs, SQLite, Clipboard, root detection, obfuscation, debug logs, tapjacking, 14 tracker SDKs. Part of AuditCore's automated security audit pipeline — runs on every scan in the Enterprise tier and above, with findings normalized into a single severity-rated table.

What is APK Code Analyzer?

APK Code Analyzer runs in the Static / Code & Mobile phase of every AuditCore scan that includes it. Source-code, dependency and mobile-binary analysis — Semgrep rules, gitleaks secrets, Trivy CVEs, APK / IPA manifest, permissions, strings, network and native-binary hardening.

Out of the box it covers: ECB/MD5/SHA1, exec(), DexClassLoader, WebView JS bridge, SharedPrefs, SQLite, Clipboard, root detection, obfuscation, debug logs, tapjacking, 14 tracker SDKs. Findings are normalized into AuditCore's vulnerability model so they appear next to results from every other scanner — no separate tabs, no tool-specific jargon, one CVSS-rated table.

If you've ever wondered which scanners actually run when you click "Start scan" on AuditCore, this is one of them. The full pipeline is documented per phase, and you can see exactly which tools fired on any given scan from the live terminal feed.

What it tests

ECB/MD5/SHA1, exec(), DexClassLoader, WebView JS bridge, SharedPrefs, SQLite, Clipboard, root detection, obfuscation, debug logs, tapjacking, 14 tracker SDKs
Runs automatically as part of any Enterprise-tier scan and above
Findings appear in the standard AuditCore severity table (Critical / High / Medium / Low / Info)
Results are bundled into the PDF report and exposed via the API

Where it runs in the AuditCore pipeline

Phase 5/5 · Static / Code & Mobile
Source-code, dependency and mobile-binary analysis — Semgrep rules, gitleaks secrets, Trivy CVEs, APK / IPA manifest, permissions, strings, network and native-binary hardening.

Source: scanners/mobile/apk_code_analyzer.py

Sample findings

APK Code Analyzer fired on a real target

Typical run produces between 0 and dozens of normalized findings depending on the target's posture. Each finding includes severity, evidence, affected URL/parameter, and a remediation hint.

Available in Enterprise tier and above

Full pentest suite. Adds BOLA / BFLA, sqlmap, SSRF, deep GraphQL, race conditions, AI agent / prompt injection, business logic, mobile binary analysis, code review. Per-domain license — pay once, rescan unlimited.

Other static / code & mobile scanners

Semgrep

p/security-audit rules

Gitleaks

secret detection in git history

Trivy

dependency CVEs

MobSF

APK/IPA analysis via REST API (requires Docker)

FAQ

What does APK Code Analyzer test for?

ECB/MD5/SHA1, exec(), DexClassLoader, WebView JS bridge, SharedPrefs, SQLite, Clipboard, root detection, obfuscation, debug logs, tapjacking, 14 tracker SDKs

Which AuditCore plan includes APK Code Analyzer?

Available from the Enterprise plan ($499) and up. Higher tiers also include this scanner — license once, rescan unlimited.

Is APK Code Analyzer safe to run on production?

Yes — APK Code Analyzer runs in the Static / Code & Mobile phase, which is non-intrusive. It only reads data the target already exposes (DNS, HTTP responses, public files, headers).

Where does APK Code Analyzer run in the AuditCore scan pipeline?

Phase 5/5 — Static / Code & Mobile. Source-code, dependency and mobile-binary analysis — Semgrep rules, gitleaks secrets, Trivy CVEs, APK / IPA manifest, permissions, strings, network and native-binary hardening.

Can I rerun APK Code Analyzer without paying again?

Yes. AuditCore uses a per-domain license model — once you've purchased a tier for a domain, every rescan (manual or scheduled) is included. No metered usage.